[RFE] Basic Authentication Support for Standalone Neutron

Initial patch for reference: https://review.opendev.org/c/openstack/neutron/+/800410

Hello Rabi:

As commented by Akihiro in the patch, this RFE should be discussed in the drivers meeting [1]. You can add your topic in the "On Demans agenda" [2].

Regards.

[1]https://meetings.opendev.org/#Neutron_drivers_Meeting
[2]https://wiki.openstack.org/wiki/Meetings/NeutronDrivers

Thanks Rodolfo, added.

IMHO neutron is not a place to implement features provided by web servers like this. I see two reasons below:

- This kind of feature is already suppored by web servers and neutron API can be deployed via WSGI. Or you can apply basic auth via proxy (for example with nginx). They have more users so features like this are well tested. OpenStack community has improved WSGI support to leverage web server features to avoid duplicating/re-implementing features achieved in web servers.

- Another reason is from the perspective of WSGI middleware. Adding a middleware to support the basic auth is another way (when you would like to avoid using a web server or a proxy suggested in the first point). Even in this case, neutron is still not a project which implements web server features. Such middleware can be hosted/developed separately from neutron. I see at least one middleware for WSGI basic auth [1]. If existing middleware(s) does not satisfy your requirements, I would suggest to develop a new middleware outside of the neutron repo (of course it can be hosted anywhere) and publish it to PyPI. Anway, a deployment who would like to use it can configure neutron api-paste to include a middleware in the middleware pipeline to achieve your requirement.

My first impression is that it does not fit into neutron at least.

[1] https://github.com/mvantellingen/wsgi-basic-auth

Hi Akihoro,

Thanks for the feedback.

I agree that there can be number of ways basic-auth can be implemented. However, as I mentioned in my report, this is mostly for "standalone neutron" use-cases where having a webserver/proxy etc is an overhead and not feasible and there is a valid use-case for it in TripleO undercloud.

let's discuss tomorrow.

I think there are some gaps and issues for deploying neutron with httpd+mod_wsgi. Looks like for those reasons both TripleO[1] and kolla-ansible[2] don't deploy that way (unlike other services). Therefore I don't see that's an feasible option for TripleO without fixing those issues in neutron.

I've encountered a few initial issues deploying neutron with httpd+mod_wsgi.

1. There is this confirmed bug[3] of keystonemiddleware issue with neutron. I did hit that issue as you can see here[4][5]

2. There is no way to specify multiple config files or config-dirs[6] (for plugins) as required by many of the production deployments.

I've been told that there are more permissions and selinux issues.

[1] https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/neutron/neutron-api-container-puppet.yaml#L421

[2] https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/neutron/templates/neutron-server.json.j2#L2

[3] https://bugs.launchpad.net/neutron/+bug/1864418

[4] https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_44a/800422/2/check/tripleo-ci-centos-8-scenario007-standalone/44a3b0a/logs/undercloud/var/log/containers/neutron/app.log

[5] https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_8fc/800422/5/check/tripleo-ci-centos-8-scenario000-multinode-oooq-container-updates/8fce952/logs/undercloud/var/log/containers/neutron/app.log

[6] https://github.com/openstack/neutron/blob/master/neutron/server/__init__.py#L28-L35

Let's discuss it in the next drivers meeting on Friday 23.07.2021

Is this new basic auth middleware specific for Neutron? Could it be used by other projects as well (potentially)?

We discussed that RFE today on the drivers meeting and we agreed to not accepting it for Neutron. We think that better place for such middleware would be oslo or maybe some new repository.

Change abandoned by "Rabi Mishra <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/800410